Hi,
I am using OpenLDAP as a client to connect to a 3rd party Oracle Internet Directory 10g.
After recent updates, I have been unable to successfully bind with the LDAP server. I believe this is an error with the SSL handshake because the following command will not negotiate an SSL protocol:
$ openssl s_client -connect HOST:636 ... Failure
While adding the -no_tls1 flag will:
$ openssl s_client -connect HOST:636 -no_tls1 ... Success
When I attempt to connect to the server using ldapsearch, I receive the following:
$ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BIND_DN" -W ldap_url_parse_ext(ldaps://HOST:636) ldap_create ldap_url_parse_ext(ldaps://HOST:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP HOST:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying HOST_IP:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error.. TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error.. TLS: could perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
Is there a way, either through the ldap.conf, an environment variable, or through the API, to ignore the TLS portion of the handshake? Am I mistaken and something else is wrong here?
Regards, Jon
--On Tuesday, March 20, 2012 3:51 PM -0700 Jon Dufresne jon@erezlife.com wrote:
Hi,
I am using OpenLDAP as a client to connect to a 3rd party Oracle Internet Directory 10g.
After recent updates, I have been unable to successfully bind with the LDAP server. I believe this is an error with the SSL handshake because the following command will not negotiate an SSL protocol:
Who built your OpenLDAP? What SSL software is it linked to? For example, RHEL platforms tend to use MozNSS. Debian/Ubuntu use GnuTLS. Sane OSes use OpenSSL. From the looks of it, you are using an NSS linked OpenLDAP client. I suggest you build your own client against OpenSSL.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
On Tue, 2012-03-20 at 16:13 -0700, Quanah Gibson-Mount wrote:
Who built your OpenLDAP? What SSL software is it linked to? For example, RHEL platforms tend to use MozNSS. Debian/Ubuntu use GnuTLS. Sane OSes use OpenSSL. From the looks of it, you are using an NSS linked OpenLDAP client. I suggest you build your own client against OpenSSL.
I am using OpenLDAP as built by Red Hat for RHEL 6.2, openldap-2.4.23-20.el6.x86_64.
$ ldd /usr/bin/ldapsearch linux-vdso.so.1 => (0x00007fff8816e000) libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x000000391c400000) liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x000000391c000000) libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003031400000) libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000003026000000) libresolv.so.2 => /lib64/libresolv.so.2 (0x0000003021c00000) libssl3.so => /usr/lib64/libssl3.so (0x000000391b800000) libsmime3.so => /usr/lib64/libsmime3.so (0x000000391bc00000) libnss3.so => /usr/lib64/libnss3.so (0x000000391b400000) libnssutil3.so => /usr/lib64/libnssutil3.so (0x000000305a800000) libplds4.so => /lib64/libplds4.so (0x0000003059c00000) libplc4.so => /lib64/libplc4.so (0x000000305ac00000) libnspr4.so => /lib64/libnspr4.so (0x000000305a000000) libc.so.6 => /lib64/libc.so.6 (0x000000301fc00000) libdl.so.2 => /lib64/libdl.so.2 (0x0000003020000000) libfreebl3.so => /lib64/libfreebl3.so (0x0000003025c00000) libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003020400000) libz.so.1 => /lib64/libz.so.1 (0x0000003020c00000) /lib64/ld-linux-x86-64.so.2 (0x000000301f800000)
I suggest you build your own client against OpenSSL.
This is kind of a last resort as I am not maintaining the environment being used.
Are you aware of known issues with this build configuration connecting to Oracle?
Jon
--On Tuesday, March 20, 2012 4:45 PM -0700 Jon Dufresne jon@erezlife.com wrote:
On Tue, 2012-03-20 at 16:13 -0700, Quanah Gibson-Mount wrote:
This is kind of a last resort as I am not maintaining the environment being used.
Are you aware of known issues with this build configuration connecting to Oracle?
Yes, it uses MozNSS. That is a known problem.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
On Mar 20, 2012, at 3:51 PM, Jon Dufresne wrote:
Hi,
I am using OpenLDAP as a client to connect to a 3rd party Oracle Internet Directory 10g.
After recent updates, I have been unable to successfully bind with the LDAP server. I believe this is an error with the SSL handshake because the following command will not negotiate an SSL protocol:
$ openssl s_client -connect HOST:636 ... Failure
While adding the -no_tls1 flag will:
$ openssl s_client -connect HOST:636 -no_tls1 ... Success
When I attempt to connect to the server using ldapsearch, I receive the following:
$ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BIND_DN" -W ldap_url_parse_ext(ldaps://HOST:636) ldap_create ldap_url_parse_ext(ldaps://HOST:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP HOST:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying HOST_IP:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error.. TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error.. TLS: could perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
Is there a way, either through the ldap.conf, an environment variable, or through the API, to ignore the TLS portion of the handshake? Am I mistaken and something else is wrong here?
---- with deference to the obvious security implications, does adding TLS_REQCERT allow to ldap.conf help?
Craig
On 03/20/2012 04:51 PM, Jon Dufresne wrote:
Hi,
I am using OpenLDAP as a client to connect to a 3rd party Oracle Internet Directory 10g.
After recent updates, I have been unable to successfully bind with the LDAP server. I believe this is an error with the SSL handshake because the following command will not negotiate an SSL protocol:
$ openssl s_client -connect HOST:636 ... Failure
While adding the -no_tls1 flag will:
$ openssl s_client -connect HOST:636 -no_tls1 ... Success
When I attempt to connect to the server using ldapsearch, I receive the following:
$ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BIND_DN" -W ldap_url_parse_ext(ldaps://HOST:636) ldap_create ldap_url_parse_ext(ldaps://HOST:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP HOST:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying HOST_IP:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error.. TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error.. TLS: could perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
Is there a way, either through the ldap.conf, an environment variable, or through the API, to ignore the TLS portion of the handshake?
That's not your problem, nor is it specific to Oracle: TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error.. TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..
Can you paste your /etc/openldap/cacerts/addtrust-ca.crt?
Am I mistaken and something else is wrong here?
Regards, Jon
On Tue, 2012-03-20 at 18:24 -0600, Rich Megginson wrote:
That's not your problem, nor is it specific to Oracle: TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error.. TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..
Can you paste your /etc/openldap/cacerts/addtrust-ca.crt?
My user does not have permission to read this file. The file's permissions are:
-rw-------. 1 root root 1521 Mar 12 15:28 addtrust-ca.crt
Now that it is pointed out, this seems incorrect. Should this be changed to mode 644?
Jon
On 03/21/2012 10:09 AM, Jon Dufresne wrote:
On Tue, 2012-03-20 at 18:24 -0600, Rich Megginson wrote:
That's not your problem, nor is it specific to Oracle: TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error.. TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..
Can you paste your /etc/openldap/cacerts/addtrust-ca.crt?
My user does not have permission to read this file. The file's permissions are:
-rw-------. 1 root root 1521 Mar 12 15:28 addtrust-ca.crt
Now that it is pointed out, this seems incorrect. Should this be changed to mode 644?
Yes.
Jon
On Wed, 2012-03-21 at 10:27 -0600, Rich Megginson wrote:
On 03/21/2012 10:09 AM, Jon Dufresne wrote:
Now that it is pointed out, this seems incorrect. Should this be changed to mode 644?
Yes.
Thanks!
With that fixed I am now closer to connecting. As originally thought the SSL handshake is failing.
Doing the same ldapsearch I now receive the following output:
$ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BASE_DN" -W ldap_url_parse_ext(ldaps://HOST:636) ldap_create ldap_url_parse_ext(ldaps://HOST:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP HOST:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying HOST_IP:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: loaded CA certificate file /etc/openldap/cacerts/addtrust-ca.crt. tls_write: want=70, written=70 0000: 16 03 01 00 41 01 00 00 3d 03 01 4f 6a 16 7c 2b ....A...=..Oj.|+ 0010: 10 6a 06 5b f3 d0 05 28 48 34 82 53 f8 3a 88 7b .j.[...(H4.S.:.{ 0020: 42 0e 39 d0 7c 2f cb 32 91 33 2b 00 00 16 00 ff B.9.|/.2.3+..... 0030: 00 35 00 04 00 05 00 2f 00 0a 00 09 00 64 00 62 .5...../.....d.b 0040: 00 03 00 06 01 00 ...... tls_read: want=5, got=5 0000: 15 03 00 00 02 ..... tls_read: want=2, got=2 0000: 02 0a .. TLS: error: connect - force handshake failure: errno 21 - moznss error -12229 TLS: can't connect: TLS error -12229:SSL peer was not expecting a handshake message it received.. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
As noted before, I can reproduce the handshake failure with OpenSSL's s_client.
$ openssl s_client -connect HOST:636 ... Failure
While adding the -no_tls1 flag will:
$ openssl s_client -connect HOST:636 -no_tls1 ... Success
My first thought was to pass along the no TLS option to OpenLDAP. Is this possible? Or should I be taking a different approach?
Thanks, Jon
On 03/21/2012 01:06 PM, Jon Dufresne wrote:
On Wed, 2012-03-21 at 10:27 -0600, Rich Megginson wrote:
On 03/21/2012 10:09 AM, Jon Dufresne wrote:
Now that it is pointed out, this seems incorrect. Should this be changed to mode 644?
Yes.
Thanks!
With that fixed I am now closer to connecting. As originally thought the SSL handshake is failing.
Doing the same ldapsearch I now receive the following output:
$ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BASE_DN" -W ldap_url_parse_ext(ldaps://HOST:636) ldap_create ldap_url_parse_ext(ldaps://HOST:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP HOST:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying HOST_IP:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: loaded CA certificate file /etc/openldap/cacerts/addtrust-ca.crt. tls_write: want=70, written=70 0000: 16 03 01 00 41 01 00 00 3d 03 01 4f 6a 16 7c 2b ....A...=..Oj.|+ 0010: 10 6a 06 5b f3 d0 05 28 48 34 82 53 f8 3a 88 7b .j.[...(H4.S.:.{ 0020: 42 0e 39 d0 7c 2f cb 32 91 33 2b 00 00 16 00 ff B.9.|/.2.3+..... 0030: 00 35 00 04 00 05 00 2f 00 0a 00 09 00 64 00 62 .5...../.....d.b 0040: 00 03 00 06 01 00 ...... tls_read: want=5, got=5 0000: 15 03 00 00 02 ..... tls_read: want=2, got=2 0000: 02 0a .. TLS: error: connect - force handshake failure: errno 21 - moznss error -12229 TLS: can't connect: TLS error -12229:SSL peer was not expecting a handshake message it received.. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
As noted before, I can reproduce the handshake failure with OpenSSL's s_client.
$ openssl s_client -connect HOST:636 ... Failure
While adding the -no_tls1 flag will:
$ openssl s_client -connect HOST:636 -no_tls1 ... Success
My first thought was to pass along the no TLS option to OpenLDAP. Is this possible? Or should I be taking a different approach?
Although it is not in the ldap.conf man page, it is in the ldap_set_config man page - the option is TLS_PROTOCOL_MIN
Try this: LDAPTLS_PROTOCOL_MIN=769 ldapsearch -d7 -x -H ldaps://HOST:636 -D "BASE_DN" -W
Thanks, Jon
Jon Dufresne wrote:
On Tue, 2012-03-20 at 18:24 -0600, Rich Megginson wrote:
That's not your problem, nor is it specific to Oracle: TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error.. TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..
Can you paste your /etc/openldap/cacerts/addtrust-ca.crt?
My user does not have permission to read this file. The file's permissions are:
-rw-------. 1 root root 1521 Mar 12 15:28 addtrust-ca.crt
Now that it is pointed out, this seems incorrect. Should this be changed to mode 644?
There's no point to set this strict permissions. Public-key CA certs are just that: public. So 0644 file permissions seems most appropriate.
Ciao, Michael.
On 03/20/2012 04:51 PM, Jon Dufresne wrote:
Hi,
I am using OpenLDAP as a client to connect to a 3rd party Oracle Internet Directory 10g.
After recent updates, I have been unable to successfully bind with the LDAP server. I believe this is an error with the SSL handshake because the following command will not negotiate an SSL protocol:
$ openssl s_client -connect HOST:636 ... Failure
While adding the -no_tls1 flag will:
$ openssl s_client -connect HOST:636 -no_tls1 ... Success
When I attempt to connect to the server using ldapsearch, I receive the following:
$ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BIND_DN" -W ldap_url_parse_ext(ldaps://HOST:636) ldap_create ldap_url_parse_ext(ldaps://HOST:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP HOST:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying HOST_IP:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error.. TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error.. TLS: could perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
Is there a way, either through the ldap.conf, an environment variable, or through the API, to ignore the TLS portion of the handshake? Am I mistaken and something else is wrong here?
What is your version of nss? rpm -qi nss
Regards, Jon
On Tue, 2012-03-20 at 19:03 -0600, Rich Megginson wrote:
What is your version of nss? rpm -qi nss
$ rpm -qi nss Name : nss Relocations: (not relocatable) Version : 3.13.1 Vendor: Red Hat, Inc. Release : 7.el6_2 Build Date: Tue 28 Feb 2012 09:02:27 PM EST Install Date: Tue 13 Mar 2012 10:06:22 AM EDT Build Host: x86-002.build.bos.redhat.com Group : System Environment/Libraries Source RPM: nss-3.13.1-7.el6_2.src.rpm Size : 2536720 License: MPLv1.1 or GPLv2 + or LGPLv2+ Signature : RSA/8, Wed 29 Feb 2012 04:23:59 PM EST, Key ID 199e2f91fd431d51 Packager : Red Hat, Inc. http://bugzilla.redhat.com/bugzilla URL : http://www.mozilla.org/projects/security/pki/nss/ Summary : Network Security Services Description : Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
openldap-technical@openldap.org
-
Craig White -
Jon Dufresne -
Michael Ströder -
Quanah Gibson-Mount -
Rich Megginson